diff --git a/README.md b/README.md
index 1622686..f579e1c 100644
--- a/README.md
+++ b/README.md
@@ -127,6 +127,7 @@ Before using this module, ensure you have the following:
| [aws_iam_role.ecs_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.ecs_ebs_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.ecs_service_role_ecs_task_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.ecs_task_role_xray_daemon_write_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_user.directus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_policy.kms_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
| [aws_lb.directus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
@@ -170,6 +171,7 @@ Before using this module, ensure you have the following:
| [enable\_ecs\_volume](#input\_enable\_ecs\_volume) | Whether to enable ECS volume | `bool` | `false` | no |
| [enable\_s3\_bucket\_versioning](#input\_enable\_s3\_bucket\_versioning) | Whether to enable S3 bucket versioning | `bool` | `true` | no |
| [enable\_ses\_emails\_sending](#input\_enable\_ses\_emails\_sending) | Whether to enable sending emails using SES | `bool` | `false` | no |
+| [enable\_xray\_integration](#input\_enable\_xray\_integration) | Whether to enable X-Ray integration | `bool` | `false` | no |
| [force\_new\_ecs\_deployment\_on\_apply](#input\_force\_new\_ecs\_deployment\_on\_apply) | Whether to force a new deployment of the ECS service on apply | `bool` | `false` | no |
| [image\_tag](#input\_image\_tag) | The tag of the Docker image | `string` | `"latest"` | no |
| [kms\_key\_id](#input\_kms\_key\_id) | The ID of the KMS key | `string` | `""` | no |
diff --git a/containers.tf b/containers.tf
new file mode 100644
index 0000000..e87527f
--- /dev/null
+++ b/containers.tf
@@ -0,0 +1,80 @@
+locals {
+ directus_container = {
+ name = local.service_name
+ image = "directus/directus:${var.image_tag}"
+ cpu = var.cpu
+ memory = var.memory
+ essential = true
+ secrets = concat([
+ { name : "SECRET", valueFrom : aws_secretsmanager_secret_version.directus_secret_version.arn },
+ { name : "ADMIN_PASSWORD", valueFrom : aws_secretsmanager_secret_version.directus_admin_password_version.arn },
+ { name : "DB_PASSWORD", valueFrom : "${var.rds_database_password_secrets_manager_arn}:password::" },
+ { name : "STORAGE_S3_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
+ { name : "STORAGE_S3_SECRET", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
+ ],
+ var.enable_ses_emails_sending ? [
+ { name : "EMAIL_SES_CREDENTIALS__ACCESS_KEY_ID", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
+ { name : "EMAIL_SES_CREDENTIALS__SECRET_ACCESS_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
+ ] : [])
+ environment = [for key, value in local.environment_vars : {
+ name = key
+ value = value
+ }]
+ linuxParameters = {
+ initProcessEnabled = true
+ }
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ "awslogs-create-group" = var.create_cloudwatch_logs_group ? "true" : "false"
+ "awslogs-group" = "/aws/ecs/${var.application_name}"
+ "awslogs-region" = data.aws_region.current.name
+ "awslogs-stream-prefix" = var.cloudwatch_logs_stream_prefix
+ }
+ }
+ healthCheck = {
+ command = ["CMD-SHELL", "wget -qO- http://localhost:${local.directus_port}${local.healthcheck_path} | grep -q 'ok' || exit 1"]
+ interval = 60
+ timeout = 10
+ retries = 10
+ startPeriod = 60
+ }
+ portMappings = [
+ {
+ containerPort = local.directus_port
+ hostPort = local.directus_port
+ protocol = "tcp"
+ }
+ ]
+ }
+
+ xray_daemon_container = {
+ name = "xray-daemon"
+ image = "public.ecr.aws/xray/aws-xray-daemon:3.x"
+ cpu = 32
+ memory = 256
+ entryPoint = ["/xray", "-b", "0.0.0.0:2000", "-o"]
+ essential = true
+ healthCheck = {
+ command = ["CMD", "/xray", "--version", "||", "exit 1"]
+ interval = 5
+ timeout = 2
+ retries = 1
+ }
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ "awslogs-create-group" = var.create_cloudwatch_logs_group ? "true" : "false"
+ "awslogs-group" = "/aws/ecs/${var.application_name}-xray-daemon"
+ "awslogs-region" = data.aws_region.current.name
+ "awslogs-stream-prefix" = var.cloudwatch_logs_stream_prefix
+ }
+ }
+ portMappings = [
+ {
+ containerPort = 2000
+ protocol = "udp"
+ }
+ ]
+ }
+}
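Review bot: The xray-daemon healthCheck on the `command = ["CMD", "/xray", "--version", "||", "exit 1"]` line uses the exec form, so `||` and `exit 1` are passed to `/xray` as literal arguments rather than evaluated by a shell; either drop them or switch to `command = ["CMD-SHELL", "/xray --version || exit 1"]`. With `essential = true`, `retries = 1` and a 2-second timeout, a single failed check on this tracing sidecar stops the whole task, so `essential = false` is probably the intended setting for an optional daemon. The task runs in `awsvpc` network mode (see the main.tf hunk), where containers of one task share a network namespace, so the daemon could bind with `entryPoint = ["/xray", "-b", "127.0.0.1:2000", "-o"]` instead of `0.0.0.0:2000`; as written, UDP 2000 is reachable from the task ENI's subnet, subject to security group rules this diff does not show.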
diff --git a/examples/main.tf b/examples/main.tf
index 446cb90..1f64129 100644
--- a/examples/main.tf
+++ b/examples/main.tf
@@ -52,6 +52,7 @@ module "directus" {
ecs_service_enable_execute_command = true # Allows you to connect via CLI to the ECS Task Container (just like `docker exec`). It's disabled by default.
enable_ses_emails_sending = true
enable_ecs_volume = false
+ enable_xray_integration = true
force_new_ecs_deployment_on_apply = true
# Add additional custom configuration here (https://docs.directus.io/self-hosted/config-options.html#configuration-options)
diff --git a/iam.tf b/iam.tf
index dbb40d0..074907a 100644
--- a/iam.tf
+++ b/iam.tf
@@ -50,6 +50,12 @@ resource "aws_iam_role_policy_attachment" "ecs_service_role_ecs_task_execution"
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
+resource "aws_iam_role_policy_attachment" "ecs_task_role_xray_daemon_write_access" {
+ count = var.enable_xray_integration ? 1 : 0
+ role = aws_iam_role.ecs_task_role.name
+ policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+}
+
resource "aws_iam_role" "ecs_task_role" {
name = "${var.application_name}-ecs-task-role"
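Review bot: The new attachment grants `AWSXRayDaemonWriteAccess` to `aws_iam_role.ecs_task_role`, which is the task role every container in the task assumes, so the Directus container receives these permissions as well as the sidecar; a comment stating that, e.g. `# Task role is shared by all containers in the task; the Directus container gains these permissions too.`, would save the next reader from looking for a per-container role. The resource otherwise matches the existing `ecs_service_role_ecs_task_execution` attachment style.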
diff --git a/main.tf b/main.tf
index 128e21b..dcb6fef 100644
--- a/main.tf
+++ b/main.tf
@@ -57,56 +57,7 @@ locals {
} : {}
)
- container_definitions = [
- {
- name = local.service_name
- image = "directus/directus:${var.image_tag}"
- cpu = var.cpu
- memory = var.memory
- essential = true
- secrets = concat([
- { name : "SECRET", valueFrom : aws_secretsmanager_secret_version.directus_secret_version.arn },
- { name : "ADMIN_PASSWORD", valueFrom : aws_secretsmanager_secret_version.directus_admin_password_version.arn },
- { name : "DB_PASSWORD", valueFrom : "${var.rds_database_password_secrets_manager_arn}:password::" },
- { name : "STORAGE_S3_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
- { name : "STORAGE_S3_SECRET", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
- ],
- var.enable_ses_emails_sending ? [
- { name : "EMAIL_SES_CREDENTIALS__ACCESS_KEY_ID", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_id::" },
- { name : "EMAIL_SES_CREDENTIALS__SECRET_ACCESS_KEY", valueFrom : "${aws_secretsmanager_secret_version.directus_serviceuser_secret_version.arn}:access_key_secret::" }
- ] : [])
- environment = [for key, value in local.environment_vars : {
- name = key
- value = value
- }]
- linuxParameters = {
- initProcessEnabled = true
- }
- logConfiguration = {
- logDriver = "awslogs"
- options = {
- "awslogs-create-group" = var.create_cloudwatch_logs_group ? "true" : "false"
- "awslogs-group" = "/aws/ecs/${var.application_name}"
- "awslogs-region" = data.aws_region.current.name
- "awslogs-stream-prefix" = var.cloudwatch_logs_stream_prefix
- }
- }
- healthCheck = {
- command = ["CMD-SHELL", "wget -qO- http://localhost:${local.directus_port}${local.healthcheck_path} | grep -q 'ok' || exit 1"]
- interval = 60
- timeout = 10
- retries = 10
- startPeriod = 60
- }
- portMappings = [
- {
- containerPort = local.directus_port
- hostPort = local.directus_port
- protocol = "tcp"
- }
- ]
- }
- ]
+ container_definitions = concat([local.directus_container], var.enable_xray_integration ? [local.xray_daemon_container] : [])
}
data "aws_region" "current" {}
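Review bot: Nothing in this hunk points the Directus container at the sidecar: `container_definitions` now adds `local.xray_daemon_container`, but the Directus definition builds its `environment` from `local.environment_vars`, which is defined outside the hunk, and no daemon address (such as an `AWS_XRAY_DAEMON_ADDRESS` entry) is visible in the diff. If that wiring is not already present, enabling the flag adds a listening daemon that nothing sends to; a one-line comment on the `container_definitions` line naming where the address is configured would make that explicit. The enclosing `locals` block begins before this hunk.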
@@ -434,8 +385,8 @@ resource "aws_ecs_task_definition" "directus" {
network_mode = "awsvpc"
- cpu = var.cpu
- memory = var.memory
+ cpu = var.enable_xray_integration ? var.cpu * 2 : var.cpu
+ memory = var.enable_xray_integration ? var.memory * 2 : var.memory
execution_role_arn = module.ecs.task_exec_iam_role_arn
task_role_arn = aws_iam_role.ecs_task_role.arn
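Review bot: Doubling task-level `cpu` and `memory` when X-Ray is enabled over-reserves by a wide margin: the sidecar declared in containers.tf asks for 32 CPU units and 256 MiB, so the task would more naturally be sized as `cpu = var.cpu + (var.enable_xray_integration ? local.xray_daemon_container.cpu : 0)` and `memory = var.memory + (var.enable_xray_integration ? local.xray_daemon_container.memory : 0)`. If the task runs on Fargate, either form must still land on an accepted cpu/memory combination, which doubling does not guarantee for every input; the launch type is not visible here, so that is worth confirming and noting in the `enable_xray_integration` variable description. The `aws_ecs_task_definition` resource begins and ends outside this hunk.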
diff --git a/variables.tf b/variables.tf
index 161c9f2..b53dcc0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -22,6 +22,12 @@ variable "load_balancer_prefix_list_ids" {
default = []
}
+variable "enable_xray_integration" {
+ description = "Whether to enable X-Ray integration"
+ type = bool
+ default = false
+}
+
variable "enable_ecs_volume" {
description = "Whether to enable ECS volume"
type = bool